Request for Mozilla Position on an Emerging Web Specification
The User Agent Client Hint proposal is destined to replace the
The above will enable browsers to keep track of servers that collect that information, and take actions to protect users' privacy in cases where that collection is likely abusing it.
Another interesting characteristic of resetting access to the UA string is that it can allow browsers to apply GREASE to the new values, in order to prevent the negative implications of UA sniffing seen on the web today.
Hey @yoavweiss - sorry for the delay here. I've been having discussions with Tanvi and @martinthomson about the User Agents Hints proposal and here's some draft language that could maybe result in a position:
The UA Hints proposal aims to solve the following problems associated with the User Agent (UA) string: UA sniffing, UA spoofing, and an entropy-rich target for fingerprinting. The proposal is to build on top of the Client Hints infrastructure and solve these problems over time.
(Draft) Mozilla's Position
Using Client Hints to deliver info derived from the User Agent header for servers who specifically request this information may reduce the number of parties that can use this information for passively fingerprinting users. However, we could reduce this even further by freezing the User Agent string and requiring resources to actively request this information via the proposed NavigatorUAData interface JS APIs. This would also allow us to audit the callers. At this time, freezing the User Agent string without any client hints seems worth prototyping. We look forward to learning from other vendors who implement the “GREASE-like UA Strings” proposal and its effects on site compatibility.
Less formal version:
We're very interested in the freezing UA string stuff and
But I don't think the positive points change our position on Client Hints (which is currently "non-harmful"). @martinthomson could probably expound on that.